The Green Sheet Online Edition
May 11, 2009 • Issue 09:05:01
PCI: Taking the proper path
The Payment Card Industry (PCI) Data Security Standard (DSS) is becoming increasingly visible - and painful - to almost everyone in the payments industry, but the distress can be minimized with the right approach and understanding of what is really going on.
A mistake many ISOs, processors, banks and even security solution vendors make is to think of PCI as a security issue only. PCI must be treated as a business challenge: Those who ignore this wind up with a series of narrow technical successes that fail to add up to real business success, a situation all too common today.
Diligence pays off
Implementing changes required by the PCI DSS can be slow and painful. PCI compliance is a business problem because the security measures are targeting business operations. Compliance failure comes with significant penalties, such as fines; the threat of permanent damage to a company's reputation; and the inability to be PCI DSS certified.
Furthermore, the PCI DSS is a complicated business issue because it is trying to get everyone in the payments industry to change certain core business behaviors, including:
- Transaction handling
- Business operations
- Staff management
- Prioritization of issues and procedures
Substantive changes are always painful and difficult to make. The promised rewards seem close but often never quite arrive. That means the industry as a whole needs to use every tool possible to decrease its pain while actively rewarding those who make the effort to do the right thing.
Although there has been movement in this direction, we are not there yet. The right strategy for PCI implementation is neither obvious nor simple.
So it's not surprising that few ISOs, banks and processors have found the right strategy for dealing with the PCI DSS. However, the payments industry can take action to ameliorate this problem. It's important to keep the following ideas in mind when addressing this issue and seeking effective solutions.
Focus on the big picture
It's easy to see validation - the "paperwork" of PCI - or even compliance as the real target of the PCI DSS, but that is shortsighted and an ineffective way to address the full scope of what PCI entails.
Everyone's goal throughout this process should be improved security, which is genuine control over the risks that arise from using information systems. PCI compliance is only a bonus feature of the real, constructive things you should be doing.
Think about what your challenges are. The details of PCI compliance are not the same for everyone. The right strategies and solutions for one organization might be a poor fit for another.
One example is that larger, more sophisticated merchants have one set of security needs and challenges, while the vast number of smaller merchants have a completely different set. This puts different types of stress on their partners and service providers.
Watch out for sharks
Be deeply suspicious of security vendors who promise to solve every problem and specialize in providing every possible type of solution. Some of them are essentially saying, "You're in luck. As it happens I'm a heart surgeon, a mechanic and I do windows." Instead of falling for this, identify solutions and partners that work to solve your specific business issues and problems.
Choose the right tools. One of the ways in which the PCI DSS is still immature is that those shaping the entire program are not using the full set of tools to get the job done. There is significant focus on trying to get the right behavior out of banks, ISOs and merchants via penalties and threats. However, there should be more emphasis on incentives and rewards.
I believe that with the right technologies and services, PCI compliance can and should be driven by letting ISOs and others make reasonable profits from driving the desired changes forward.
Resistance to the idea that solving this problem is up to us typically comes from security specialists who underestimate the business challenges involved and who think it should all be done only one way. But this sort of mandate-driven thinking is essentially a hangover from the days when security was largely a governmental issue.
The PCI DSS is tackling a very different problem, and we are already seeing new solutions and new approaches to PCI implementation.
One other thing to keep in mind is that data security and PCI compliance are always an ongoing process, not an event that pops up on your calendar and then can be forgotten until next time. True security requires changes in daily habits and operations, which is another reason why ongoing rewards are valuable, and annual audits and penalties should not be the main tool for driving the process.
Audits and paperwork are similar to annual health checkups: an important tool, but if you're trying to get and stay healthy you shouldn't just circle that day on your calendar and think in terms of getting through the test.
We've all seen major security breaches recently where the company in question, and even the auditors, seemed to care more about the test than the underlying reality of the breaches' causes and effects.
Reach out to partners
Work with your partners. The PCI DSS emphasizes that your security is not completely contained inside your own world. You are dependent on your partners, vendors, ISOs and overall supply chain in inescapable ways, increasingly making security compliance a collective responsibility.
That means in-house and home-grown solutions are going to become more awkward and ineffective because they put up barriers to sharing and coordination. Ideally, what you should look for is a solution that creates a common way for you and your partners to work together.
While doing so, keep in mind that your partners are different from you. They will need a solution that recognizes those differences and one that doesn't force you into a one-size-fits-all straitjacket.
Keep an eye on your vendors. PCI is a new world, and in many ways, it's still like the Wild West. Most vendors are looking to expand their customer base, and too many - even ones with a good reputation when it comes to their core offerings - are doing so by promising things they can't deliver or that simply don't exist. Take the time to put them to the test, rather than rely on reputations based on other products or other times.
Being cognizant of these issues will help you put together a solution that gives you what you really need: successes on the narrow technical issues that actually add up to business success, and that let you take on the challenges of PCI in an efficient, productive way.
Dr. Tim Cranny is an internationally recognized security and compliance expert and is Chief Executive Officer of Panoptic Security Inc. (www.panopticsecurity.com). He speaks and writes frequently for the national and international press on compliance and technology issues. Contact him at firstname.lastname@example.org or 801-599-3454.